I am having trouble figuring out how to manage the policies for Endpoint Encryption.

We have 3 different policies that are required for EE. One that has "Update number of sides" turned on, one that has "Update MBR" enabled, and a third that has both of these options turned off. A machine that gets the wrong policy will fail to boot, blue screen, or otherwise not boot correctly.

As far as I can tell, policies can be defined on the individual machine or on the group of machines in the system tree, and those are the only two options. I already have machines organized in the system tree for the other McAfee products we have. I have a group for really locked-down machines, and then varying degrees of openness for HIPS and antivirus rules. I can't figure out how to introduce Endpoint Encryption into that mix. I now need to have a policy that is focused entirely on the type of hardware. If it is a Lenovo laptop it has to get a certain EE policy. If it is a Dell laptop, it needs a different EE policy. But the Lenovo and the Dell might need to be in the same policy configuration for HIPS and VSE. Additionally, the computers auto-sort on what OU they are in in AD.

How should I be applying the EE policies? I would like it if I could tag a machine with a certain value and that tag would mean that it would apply a certain EE policy. I could have three tags for the three required types of endpoint encryption policies. Then, depending on which tag the machine had applied, it would get the correct policy. I don't think there is a way to do that, though. I am totally stuck trying to figure out how to organize this. I don't want to assign policies at the individual computer level, as that is way too much trouble to handle, plus I think it would be problematic in the future if the policy needed to change. There is a feature to filter tasks by tags. I am planning to use that feature for deployment. I will set up an EE deployment task and assign it to the computers that have a particular tag, but I don't think policies can work the same way.

I am curious to know how others are managing this. I am totally at a loss on how to do it.

What is the solution? The only thing I can think of is to make a single Endpoint Encryption policy, and if the laptop can work with that policy then it can be encrypted, and if it can't, it can't. And if it can't be encrypted it goes in the dumpster. No way I ever get a policy like that passed, by the way, so I have to make this work somehow.

Applying a policy based on tag would be the best solution; I know that is not currently an option. I wouldn't mind managing the tags manually. I'd just have 3 tags: EE-GroupA, EE-TypeB, etc. I just don't want to (CANNOT!) organize my clients into specific groups solely for the purpose of EE, based solely or partially on model type. What about all the other McAfee products I have to manage? With them, it is not as big a deal if a policy is incorrectly assigned; you can just fix it. If an EE client gets assigned a wrong policy, the machine will likely blue screen and take 6-12 hours to fix.

So I am just curious about what other people are doing about this problem. A machine can't be in two places in ePO at once. Every machine in the same group gets the same policies, so how can this be managed with Endpoint Encryption needing policies that are specifically hardware-based, as opposed to management-rule, department, or Active Directory OU based like all the other McAfee products? I can't figure out how to make it work.

That's the challenge really... identifying the system model. My response was based on the OP's comment that they were willing to manage the tags manually. I'd sure love to automate the tag assignment, but I don't know how to do it either.

I've read it and it is a starting point. But I've found the IsLaptop property to be unreliable. I have to say, though, that I don't yet have enough PCs in the 4.5 test environment to see if it's more accurate than it is in 4.0. In 4.0 it identifies all of our ultra small form factor Dell OptiPlexes as laptops. I went through and created my own based on mobile processor models, which I'm sure is still not 100% accurate, but it's close. It also does not address the OP's real problem of identifying particular makes/models of laptops.

MA 4.5 has the ability to report back custom fields that are entered in the registry. If you are able to put the device model in the registry, then this could be used to apply a tag, and the tag could then be used to apply the policy.
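The approach in the last reply, worked through as an added example (this is not code posted in the thread and not a McAfee-supplied script): read the manufacturer, model and SMBIOS chassis type with WMI, map the make/model to one of the three EE policy classes the OP needs, and write the result into McAfee Agent custom properties so an ePO tag criterion can key on it. The registry key for custom properties (`...\ePolicy Orchestrator\Agent\CustomProps`, values `CustomProps1..4`) and the `CmdAgent.exe /P` call are stated from memory of the 4.x agent and should be treated as assumptions to confirm against your agent version; the model-to-class table and the class names are hypothetical placeholders you would fill from your own hardware testing.

```powershell
# Added example, not from the thread: publish the hardware class an
# Endpoint Encryption policy depends on as McAfee Agent custom properties,
# so an ePO tag can be assigned from hardware make/model instead of IsLaptop.

# ASSUMPTION: MA 4.x reads custom properties from this key, values
# CustomProps1..CustomProps4. A 32-bit agent on 64-bit Windows writes the
# key under Wow6432Node. Verify both paths against your agent build.
$NativeKey = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps'
$Wow64Key  = 'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent\CustomProps'

# HYPOTHETICAL table: "<Manufacturer>|<Model>" -> EE policy class.
# Populate from your own boot testing. A model that is not listed is
# reported as 'EE-Unknown' so it matches no EE tag and gets no EE policy,
# which is safer than guessing and blue-screening the machine.
$ModelClass = @{
    'LENOVO|ThinkPad T410'      = 'EE-TypeA'   # placeholder entry
    'LENOVO|ThinkPad X201'      = 'EE-TypeA'   # placeholder entry
    'Dell Inc.|Latitude E6410'  = 'EE-TypeB'   # placeholder entry
    'Dell Inc.|OptiPlex 780'    = 'EE-TypeC'   # placeholder entry
}

$cs  = Get-WmiObject -Class Win32_ComputerSystem
$enc = Get-WmiObject -Class Win32_SystemEnclosure

$manufacturer = ($cs.Manufacturer).Trim()
$model        = ($cs.Model).Trim()
$makeModel    = "$manufacturer|$model"

# SMBIOS chassis types that mean a mobile system: 8 Portable, 9 Laptop,
# 10 Notebook, 14 Sub Notebook. A USFF desktop reports 15 (Space-saving),
# so it is deliberately NOT treated as mobile here, unlike IsLaptop.
$MobileChassis = 8, 9, 10, 14
$isMobile = @($enc.ChassisTypes | Where-Object { $MobileChassis -contains $_ }).Count -gt 0
$formFactor = if ($isMobile) { 'Mobile' } else { 'Desktop' }

$eeClass = if ($ModelClass.ContainsKey($makeModel)) { $ModelClass[$makeModel] } else { 'EE-Unknown' }

# Prefer the Wow6432Node key when it exists (32-bit agent on x64).
$targetKey = if (Test-Path $Wow64Key) { $Wow64Key } else { $NativeKey }
if (-not (Test-Path $targetKey)) { New-Item -Path $targetKey -Force | Out-Null }

# Set-ItemProperty creates the REG_SZ value if it does not exist yet.
Set-ItemProperty -Path $targetKey -Name 'CustomProps1' -Value $eeClass
Set-ItemProperty -Path $targetKey -Name 'CustomProps2' -Value $makeModel
Set-ItemProperty -Path $targetKey -Name 'CustomProps3' -Value $formFactor

# ASSUMPTION: CmdAgent.exe /P collects and sends properties immediately, so
# the tag criterion can evaluate without waiting for the next ASCI interval.
$agentDirs = @("$env:ProgramFiles\McAfee\Common Framework", "${env:ProgramFiles(x86)}\McAfee\Common Framework")
foreach ($dir in $agentDirs) {
    $cmdAgent = Join-Path $dir 'CmdAgent.exe'
    if (Test-Path $cmdAgent) { & $cmdAgent /P; break }
}

Write-Output "Reported $makeModel as $eeClass ($formFactor)"
```

Run it from an ePO product deployment or a login script before the EE deployment task. In ePO, create one tag per class with a criterion on Custom Props 1 equal to the class name, then filter the EE deployment task by tag as the OP already planned; policy assignment still happens at the system tree level, so this only removes the manual tagging step, not the need for whatever group or per-system assignment you use for the policy itself.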